
Config: enabling low port access?


GP lisper

Oct 13, 2009, 1:01:36 AM

How do I configure Opera to allow very low TCP port access?
All I get is

"Access to this port is disabled for security reasons"

while a telnet connection (to the port in question of course) to the
remote box works fine. I suppose I need to use something else.
Firefox gives a better warning message at least.

TIA

Yngve N. Pettersen (Developer, Opera Software)

Oct 13, 2009, 2:36:17 AM


Those ports are dedicated ports for protocols that could be abused to
compromise computer systems, and implementations of at least some of
those protocols are known to have bad error handling, and might ignore
some parts of an HTTP request, while obeying other parts of the same request,
exposing a security vulnerability. This is particularly a problem if
access to the server is limited to a particular network (like an
intranet).

When using non-standard ports for HTTP servers, ports in the range
from 1024 and above should be used. Ports in the range 1-1023 are
frequently reserved for system protocols or major protocols like HTTP
and HTTPS.

Jorgen Grahn

Oct 13, 2009, 9:41:15 AM
On Tue, 2009-10-13, Yngve N. Pettersen (Developer, Opera Software) wrote:
> On Mon, 12 Oct 2009 22:01:36 -0700, GP lisper
> <spam...@CloudDancer.com> wrote:
>
>>
>>How do I configure Opera to allow very low TCP port access?
>>All I get is
>>
>>"Access to this port is disabled for security reasons"
>>
>>while a telnet connection (to the port in question of course) to the
>>remote box works fine. I suppose I need to use something else.
>>Firefox gives a better warning message at least.

I guess he means you type in http://example.com:8/something,
trying to talk HTTP to TCP port 8 (or any other low number).

> Those ports are dedicated ports for protocols that could be abused to
> compromise computer systems, and implementations of at least some of
> those protocols are known to have bad error handling, and might ignore
> some parts of an HTTP request, while obeying other parts of the same request,
> exposing a security vulnerability.

Please explain. If Opera has such large security holes that you can
break security just by trying to talk to a friendly finger or chargen
server, surely it's completely defenseless against a *real* attacker
waiting on port 80?

I don't think that is what you mean. Opera would be laughing stock
everywhere if it was like that.

> This is particularly a problem if
> access to the server is limited to a particular network (like an
> intranet).
>
> When using non-standard ports for HTTP servers, ports in the range
> from 1024 and above should be used. Ports in the range 1-1023 are
> frequently reserved for system protocols or major protocols like HTTP
> and HTTPS.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

Eirik Byrkjeflot Anonsen

Oct 13, 2009, 10:15:30 AM
Jorgen Grahn <grahn...@snipabacken.se> writes:

> On Tue, 2009-10-13, Yngve N. Pettersen (Developer, Opera Software) wrote:
>> On Mon, 12 Oct 2009 22:01:36 -0700, GP lisper
>> <spam...@CloudDancer.com> wrote:
>>
>>>
>>>How do I configure Opera to allow very low TCP port access?
>>>All I get is
>>>
>>>"Access to this port is disabled for security reasons"
>>>
>>>while a telnet connection (to the port in question of course) to the
>>>remote box works fine. I suppose I need to use something else.
>>>Firefox gives a better warning message at least.
>
> I guess he means you type in http://example.com:8/something,
> trying to talk HTTP to TCP port 8 (or any other low number).

Exactly.

>> Those ports are dedicated ports for protocols that could be abused to
>> compromise computer systems, and implementations of at least some of
>> those protocols are known to have bad error handling, and might ignore
>> some parts of an HTTP request, while obeying other parts of the same request,
>> exposing a security vulnerability.
>
> Please explain. If Opera has so large security holes that you can
> break security just by trying to talk to a friendly finger- or chargen
> server, surely it's completely defenseless against a *real* attacker
> waiting on port 80?
>
> I don't think that is what you mean. Opera would be laughing stock
> everywhere if it was like that.

:)

It's the opposite. The vulnerability is in the server that Opera would
connect to.

The particular attack Yngve refers to is to have a publicly available
web site with a link that is designed to break some specific service at
an internal address. Thus you can attack a service on the inside of a
firewall from the outside of the firewall. You only need to get someone
inside the firewall to click on your link.

eirik

Jorgen Grahn

Oct 13, 2009, 2:59:18 PM

Oh, I see.

I think it's the vulnerable service's fault, and that it's best for
everybody if it gets DoSed so it gets obvious that it needs fixing ...
but I can respect Opera's choice. It makes *some* kind of sense.

GP lisper

Oct 15, 2009, 2:29:15 AM


Well, in order to setup your mentioned link, someone already has too
much access. Keeping a webserver inside an important network is the
sign of braindead design, given the long history of web exploits. I
suppose Opera's choice here makes some people feel comfortable, since
it really does nothing to stop the problem.

FYI: the new 'links' works fine, as would any LWP perl program, or
adding some port redirection in a firewall or squid.


GP lisper

Oct 15, 2009, 2:34:29 AM


Notice that I said 'remote box'.

/etc/services is full of deadwood btw

Eirik Byrkjeflot Anonsen

Oct 15, 2009, 7:03:16 AM
GP lisper <spam...@CloudDancer.com> writes:

The "attacking" link isn't on the inside of the network. It just has
to be accessible from inside the network. Putting it in a comment on
slashdot would be good enough.

There doesn't need to be a web server inside the network at all. As
long as there is any server of any kind (e.g. smtp, ntp, pop, smb) which
is vulnerable against malformed data, a web browser on the inside of the
network can be used to proxy an attack.

Of course, the "correct" solution is to make all servers invulnerable to
such attacks. But we know that many people will put vulnerable servers
on internal networks, set up the firewall to block external access, and
expect that to be sufficient.

eirik
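The mechanism discussed in Yngve's reply (ports 1-1023 are reserved for system services, so an HTTP client should refuse to speak HTTP to them unless the port is the scheme's own) and in Eirik's last post (a browser inside the network being used to relay malformed requests to an internal non-HTTP service) can be written down as a small policy check. The following is an added example, not Opera's code and not its actual port list: a stand-alone JavaScript function that computes a URL's effective port and decides whether a client following this policy would connect. The 1024 threshold, the "scheme default port is always allowed" rule and the rejection message format are assumptions modelled on the thread; the service names attached to port numbers are standard IANA assignments and are only there to make the decision readable.

```javascript
// Added example (not Opera's implementation): a simplified model of the
// "low port" policy described in the thread, applied before a client opens
// a connection for a URL it did not choose itself (a link on a public page).

// Default ports for the two schemes the thread talks about.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Assumed policy threshold, from the thread: 1-1023 are reserved for system
// services; anything from 1024 upward is treated as a normal application port.
const LOWEST_UNPRIVILEGED_PORT = 1024;

// Standard IANA assignments for services named in the thread. Used only to
// give a readable reason when a request is refused.
const KNOWN_SERVICES = {
  19: "chargen",
  25: "smtp",
  79: "finger",
  110: "pop3",
  123: "ntp",
  445: "microsoft-ds (smb)",
};

// Return the port the client would actually connect to: the explicit port
// from the URL, or the scheme's default when none is given.
function effectivePort(url) {
  const u = new URL(url);
  if (u.port !== "") return Number(u.port);
  const fallback = DEFAULT_PORTS[u.protocol];
  if (fallback === undefined) throw new Error(`unsupported scheme ${u.protocol}`);
  return fallback;
}

// Decide whether a URL may be fetched under the assumed policy.
// Returns { allowed, port, reason } so a caller can log or display the reason.
function checkPort(url) {
  const u = new URL(url);
  const port = effectivePort(url);

  // The scheme's own well-known port is always fine (http://host/ -> 80).
  if (port === DEFAULT_PORTS[u.protocol]) {
    return { allowed: true, port, reason: "scheme default port" };
  }
  // Non-standard HTTP servers are expected to live at 1024 or above.
  if (port >= LOWEST_UNPRIVILEGED_PORT) {
    return { allowed: true, port, reason: "unprivileged port" };
  }
  // Anything else in 1-1023 is presumed to be a system service that may
  // mishandle HTTP framed data, so the client refuses to talk to it.
  const service = KNOWN_SERVICES[port] ? ` (${KNOWN_SERVICES[port]})` : "";
  return {
    allowed: false,
    port,
    reason:
      `Access to this port is disabled for security reasons: ` +
      `port ${port}${service} is reserved for a system service`,
  };
}

// Constructed sample links, the kind a page could embed for users on an
// intranet to click. Hostnames are placeholders, not real systems.
const SAMPLE_LINKS = [
  "http://example.com:8/something",      // the case from the original post
  "http://example.com/",                 // plain HTTP on 80
  "https://example.com:443/",            // explicit default port
  "http://intranet.example:8080/app",    // ordinary non-standard HTTP port
  "http://intranet.example:79/",         // finger
  "http://intranet.example:25/",         // smtp
];

// Apply the policy to every sample link and return the decisions.
function auditLinks(links = SAMPLE_LINKS) {
  return links.map((url) => ({ url, ...checkPort(url) }));
}

for (const d of auditLinks()) {
  console.log(`${d.allowed ? "ALLOW" : "BLOCK"} ${d.url} -> port ${d.port}: ${d.reason}`);
}
```

The check runs on the URL alone, before any socket is opened, which is the point Eirik makes: the browser cannot know whether the internal service at that port has robust error handling, so refusing the connection is the only decision it can make locally. Jorgen's objection still stands as a design trade-off; the policy protects weak internal services at the cost of legitimate low-port HTTP servers, which is why the usual advice (and the thread's own workarounds) is to run such servers at 1024 or above or to reach them through a deliberate proxy.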
